[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Fri Jul 29 13:29:40 CEST 2016
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
83 new defect(s) introduced to coreboot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 83 defect(s)
** CID 1360527: Memory - corruptions (NEGATIVE_RETURNS)
/3rdparty/chromeec/common/charge_manager.c: 468 in charge_manager_refresh()
________________________________________________________________________________________________________
*** CID 1360527: Memory - corruptions (NEGATIVE_RETURNS)
/3rdparty/chromeec/common/charge_manager.c: 468 in charge_manager_refresh()
462
463 /*
464 * Zero the available charge on the rejected port so that
465 * it is no longer chosen.
466 */
467 for (i = 0; i < CHARGE_SUPPLIER_COUNT; ++i)
>>> CID 1360527: Memory - corruptions (NEGATIVE_RETURNS)
>>> Using variable "new_port" as an index to array "available_charge[i]".
468 available_charge[i][new_port].current = 0;
469 }
470
471 /*
472 * Clear override if it wasn't selected as the 'best' port -- it means
473 * that no charge is available on the port, or the port was rejected.
** CID 1353358: Control flow issues (UNREACHABLE)
/3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0()
________________________________________________________________________________________________________
*** CID 1353358: Control flow issues (UNREACHABLE)
/3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0()
496 #ifndef BLUE_PULSING
497 /* next sequence */
498 return LIGHTBAR_S0;
499 #endif
500
501 /* Ramp up to starting brightness, using S0 colors */
>>> CID 1353358: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "ci = st.p.s0_idx[st.battery...".
502 ci = st.p.s0_idx[st.battery_is_charging][st.battery_level];
503 if (ci >= ARRAY_SIZE(st.p.color))
504 ci = 0;
505
506 fmin = st.p.osc_min[st.battery_is_charging] * FP_SCALE / 255;
507
** CID 1353353: Memory - illegal accesses (REVERSE_NEGATIVE)
/3rdparty/chromeec/driver/usb_mux.c: 23 in usb_mux_init()
________________________________________________________________________________________________________
*** CID 1353353: Memory - illegal accesses (REVERSE_NEGATIVE)
/3rdparty/chromeec/driver/usb_mux.c: 23 in usb_mux_init()
17
18 void usb_mux_init(int port)
19 {
20 const struct usb_mux *mux = &usb_muxes[port];
21 int res;
22
>>> CID 1353353: Memory - illegal accesses (REVERSE_NEGATIVE)
>>> You might be using variable "port" before verifying that it is >= 0.
23 ASSERT(port >= 0 && port < CONFIG_USB_PD_PORT_COUNT);
24 res = mux->driver->init(mux->port_addr);
25 if (res)
26 CPRINTS("Error initializing mux port(%d): %d", port, res);
27
28 /* Apply board specific initialization */
** CID 1353345: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353345: (OVERRUN)
/3rdparty/chromeec/common/host_command_master.c: 82 in pd_host_command_internal()
76
77 /*
78 * Transmit all data and receive 2 bytes for return value and response
79 * length.
80 */
81 i2c_lock(I2C_PORT_PD_MCU, 1);
>>> CID 1353345: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_set_timeout".
82 i2c_set_timeout(I2C_PORT_PD_MCU, PD_HOST_COMMAND_TIMEOUT_US);
83 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR,
84 &req_buf[0], outsize + sizeof(rq) + 1, &resp_buf[0],
85 2, I2C_XFER_START);
86 i2c_set_timeout(I2C_PORT_PD_MCU, 0);
87 if (ret) {
/3rdparty/chromeec/common/host_command_master.c: 86 in pd_host_command_internal()
80 */
81 i2c_lock(I2C_PORT_PD_MCU, 1);
82 i2c_set_timeout(I2C_PORT_PD_MCU, PD_HOST_COMMAND_TIMEOUT_US);
83 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR,
84 &req_buf[0], outsize + sizeof(rq) + 1, &resp_buf[0],
85 2, I2C_XFER_START);
>>> CID 1353345: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_set_timeout".
86 i2c_set_timeout(I2C_PORT_PD_MCU, 0);
87 if (ret) {
88 i2c_lock(I2C_PORT_PD_MCU, 0);
89 CPRINTF("[%T i2c transaction 1 failed: %d]\n", ret);
90 return -EC_RES_BUS_ERROR;
91 }
/3rdparty/chromeec/common/host_command_master.c: 83 in pd_host_command_internal()
77 /*
78 * Transmit all data and receive 2 bytes for return value and response
79 * length.
80 */
81 i2c_lock(I2C_PORT_PD_MCU, 1);
82 i2c_set_timeout(I2C_PORT_PD_MCU, PD_HOST_COMMAND_TIMEOUT_US);
>>> CID 1353345: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_xfer".
83 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR,
84 &req_buf[0], outsize + sizeof(rq) + 1, &resp_buf[0],
85 2, I2C_XFER_START);
86 i2c_set_timeout(I2C_PORT_PD_MCU, 0);
87 if (ret) {
88 i2c_lock(I2C_PORT_PD_MCU, 0);
/3rdparty/chromeec/common/host_command_master.c: 97 in pd_host_command_internal()
91 }
92
93 resp_len = resp_buf[1];
94
95 if (resp_len > (insize + sizeof(rs))) {
96 /* Do a dummy read to generate stop condition */
>>> CID 1353345: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_xfer".
97 i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR,
98 0, 0, &resp_buf[2], 1, I2C_XFER_STOP);
99 i2c_lock(I2C_PORT_PD_MCU, 0);
100 CPRINTF("[%T response size is too large %d > %d]\n",
101 resp_len, insize + sizeof(rs));
102 return -EC_RES_RESPONSE_TOO_BIG;
/3rdparty/chromeec/common/host_command_master.c: 106 in pd_host_command_internal()
100 CPRINTF("[%T response size is too large %d > %d]\n",
101 resp_len, insize + sizeof(rs));
102 return -EC_RES_RESPONSE_TOO_BIG;
103 }
104
105 /* Receive remaining data */
>>> CID 1353345: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_xfer".
106 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR, 0, 0,
107 &resp_buf[2], resp_len, I2C_XFER_STOP);
108 i2c_lock(I2C_PORT_PD_MCU, 0);
109 if (ret) {
110 CPRINTF("[%T i2c transaction 2 failed: %d]\n", ret);
111 return -EC_RES_BUS_ERROR;
** CID 1353343: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353343: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/battery.c: 45 in battery_is_present()
39 /**
40 * Physical detection of battery.
41 */
42 enum battery_present battery_is_present(void)
43 {
44 /* The GPIO is low when the battery is present */
>>> CID 1353343: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_BAT_PRESENT_L" in call to "gpio_get_level".
45 return gpio_get_level(CONFIG_BATTERY_PRESENT_GPIO) ? BP_NO : BP_YES;
46 }
47 #endif
48
49 static const char *get_error_text(int rv)
50 {
** CID 1353329: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal()
________________________________________________________________________________________________________
*** CID 1353329: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal()
53 rq.command_version = version;
54 rq.reserved = 0;
55 rq.data_len = outsize;
56
57 /* Copy data and start checksum */
58 for (i = 0, c = (const uint8_t *)outdata; i < outsize; i++, c++) {
>>> CID 1353329: Memory - corruptions (OVERRUN)
>>> Overrunning array "req_buf" of 256 bytes at byte offset 256 using index "9U + i" (which evaluates to 256).
59 req_buf[sizeof(rq) + 1 + i] = *c;
60 sum += *c;
61 }
62
63 /* Finish checksum */
64 for (i = 0, c = (const uint8_t *)&rq; i < sizeof(rq); i++, c++)
** CID 1353327: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353327: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/driver/als_opt3001.c: 34 in opt3001_i2c_write()
28 */
29 static int opt3001_i2c_write(const int reg, int data)
30 {
31 int ret;
32
33 data = ((data << 8) & 0xFF00) | ((data >> 8) & 0x00FF);
>>> CID 1353327: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C2" in call to "i2c_write16".
34 ret = i2c_write16(I2C_PORT_ALS, OPT3001_I2C_ADDR, reg, data);
35
36 return ret;
37 }
38
39 /**
** CID 1353326: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353326: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/driver/als_opt3001.c: 18 in opt3001_i2c_read()
12 * Read register from OPT3001 light sensor.
13 */
14 static int opt3001_i2c_read(const int reg, int *data_ptr)
15 {
16 int ret;
17
>>> CID 1353326: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C2" in call to "i2c_read16".
18 ret = i2c_read16(I2C_PORT_ALS, OPT3001_I2C_ADDR, reg, data_ptr);
19 if (!ret)
20 *data_ptr = ((*data_ptr << 8) & 0xFF00) |
21 ((*data_ptr >> 8) & 0x00FF);
22
23 return ret;
** CID 1353323: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/pd_log.c: 176 in hc_pd_get_log_entry()
________________________________________________________________________________________________________
*** CID 1353323: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/pd_log.c: 176 in hc_pd_get_log_entry()
170 dequeue_retry:
171 args->response_size = pd_log_dequeue(r);
172 /* if the MCU log no longer has entries, try connected accessories */
173 if (r->type == PD_EVENT_NO_ENTRY) {
174 int i, res;
175 incoming_logs = 0;
>>> CID 1353323: Memory - corruptions (OVERRUN)
>>> Checking "i < 2" implies that "i" may be up to 1 on the true branch.
176 for (i = 0; i < CONFIG_USB_PD_PORT_COUNT; ++i) {
177 /* only accessories who knows Google logging format */
178 if (pd_get_identity_vid(i) != USB_VID_GOOGLE)
179 continue;
180 res = pd_fetch_acc_log_entry(i);
181 if (res == EC_RES_BUSY) /* host should retry */
** CID 1353313: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353313: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/inductive_charging.c: 84 in inductive_charging_deferred_update()
78 }
79 }
80
81 static void inductive_charging_deferred_update(void)
82 {
83 int lid_open = lid_is_open();
>>> CID 1353313: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_BASE_CHG_VDD_EN" in call to "gpio_set_level".
84 gpio_set_level(GPIO_BASE_CHG_VDD_EN, !lid_open);
85 inductive_charging_interrupt(GPIO_LID_OPEN);
86 }
87 DECLARE_DEFERRED(inductive_charging_deferred_update);
88
89 static void inductive_charging_lid_update(void)
** CID 1353312: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353312: (OVERRUN)
/3rdparty/chromeec/common/inductive_charging.c: 43 in inductive_charging_interrupt()
37 inductive_charging_interrupt(GPIO_CHARGE_DONE);
38 }
39 DECLARE_DEFERRED(inductive_charging_monitor_charge);
40
41 void inductive_charging_interrupt(enum gpio_signal signal)
42 {
>>> CID 1353312: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_BASE_CHG_VDD_EN" in call to "gpio_get_level".
43 int charger_enabled = gpio_get_level(GPIO_BASE_CHG_VDD_EN);
44 int charge_done = gpio_get_level(GPIO_CHARGE_DONE);
45 static int charge_already_done;
46
47 if (!monitor_charge_done && signal == GPIO_CHARGE_DONE)
48 return;
/3rdparty/chromeec/common/inductive_charging.c: 67 in inductive_charging_interrupt()
61 charge_already_done = 1;
62 else if (charge_already_done)
63 return;
64 }
65
66 if (!charger_enabled || charge_done) {
>>> CID 1353312: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_CHARGE_EN" in call to "gpio_set_level".
67 gpio_set_level(GPIO_CHARGE_EN, 0);
68 } else {
69 gpio_set_level(GPIO_CHARGE_EN, 1);
70 /*
71 * When the charging is just enabled, there might be a
72 * blip on CHARGE_DONE. Wait for a second before we start
/3rdparty/chromeec/common/inductive_charging.c: 69 in inductive_charging_interrupt()
63 return;
64 }
65
66 if (!charger_enabled || charge_done) {
67 gpio_set_level(GPIO_CHARGE_EN, 0);
68 } else {
>>> CID 1353312: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_CHARGE_EN" in call to "gpio_set_level".
69 gpio_set_level(GPIO_CHARGE_EN, 1);
70 /*
71 * When the charging is just enabled, there might be a
72 * blip on CHARGE_DONE. Wait for a second before we start
73 * looking at CHARGE_DONE.
74 */
** CID 1353311: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353311: (OVERRUN)
/3rdparty/chromeec/board/oak/led.c: 53 in bat_led_set()
47 case BAT_LED_AMBER:
48 /* for rev3 or later */
49 gpio_set_level(GPIO_BAT_LED0, on ? 0 : 1); /* BAT_LED_AMBER */
50 gpio_set_level(GPIO_BAT_LED1, on ? 0 : 1);
51 break;
52 case PWR_LED_GREEN:
>>> CID 1353311: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_PWR_LED0" in call to "gpio_set_level".
53 gpio_set_level(GPIO_PWR_LED0, on ? 0 : 1); /* PWR_LED_GREEN */
54 break;
55 case PWR_LED_ORANGE:
56 gpio_set_level(GPIO_PWR_LED1, on ? 0 : 1); /* PWR_LED_ORANGE */
57 break;
58 default:
/3rdparty/chromeec/board/oak/led.c: 56 in bat_led_set()
50 gpio_set_level(GPIO_BAT_LED1, on ? 0 : 1);
51 break;
52 case PWR_LED_GREEN:
53 gpio_set_level(GPIO_PWR_LED0, on ? 0 : 1); /* PWR_LED_GREEN */
54 break;
55 case PWR_LED_ORANGE:
>>> CID 1353311: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_PWR_LED1" in call to "gpio_set_level".
56 gpio_set_level(GPIO_PWR_LED1, on ? 0 : 1); /* PWR_LED_ORANGE */
57 break;
58 default:
59 return EC_ERROR_UNKNOWN;
60 }
61 return EC_SUCCESS;
** CID 1353309: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
/3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
________________________________________________________________________________________________________
*** CID 1353309: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
254 args->response_size = sizeof(r_v1->get_count);
255 break;
256 case EC_GPIO_GET_INFO:
257 if (p_v1->get_info.index >= GPIO_COUNT)
258 return EC_RES_ERROR;
259
>>> CID 1353309: (OVERRUN)
>>> Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 47.
260 i = p_v1->get_info.index;
261 len = strlen(g[i].name);
262 memcpy(r_v1->get_info.name, g[i].name, len+1);
263 r_v1->get_info.val = gpio_get_level(i);
264 r_v1->get_info.flags = g[i].flags;
265 args->response_size = sizeof(r_v1->get_info);
/3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
254 args->response_size = sizeof(r_v1->get_count);
255 break;
256 case EC_GPIO_GET_INFO:
257 if (p_v1->get_info.index >= GPIO_COUNT)
258 return EC_RES_ERROR;
259
>>> CID 1353309: (OVERRUN)
>>> Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 43.
260 i = p_v1->get_info.index;
261 len = strlen(g[i].name);
262 memcpy(r_v1->get_info.name, g[i].name, len+1);
263 r_v1->get_info.val = gpio_get_level(i);
264 r_v1->get_info.flags = g[i].flags;
265 args->response_size = sizeof(r_v1->get_info);
** CID 1353308: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get()
/3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get()
________________________________________________________________________________________________________
*** CID 1353308: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get()
255 break;
256 case EC_GPIO_GET_INFO:
257 if (p_v1->get_info.index >= GPIO_COUNT)
258 return EC_RES_ERROR;
259
260 i = p_v1->get_info.index;
>>> CID 1353308: (OVERRUN)
>>> Overrunning array of 28 16-byte elements at element index 47 (byte offset 752) by dereferencing pointer "g + i".
261 len = strlen(g[i].name);
262 memcpy(r_v1->get_info.name, g[i].name, len+1);
263 r_v1->get_info.val = gpio_get_level(i);
264 r_v1->get_info.flags = g[i].flags;
265 args->response_size = sizeof(r_v1->get_info);
266 break;
/3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get()
255 break;
256 case EC_GPIO_GET_INFO:
257 if (p_v1->get_info.index >= GPIO_COUNT)
258 return EC_RES_ERROR;
259
260 i = p_v1->get_info.index;
>>> CID 1353308: (OVERRUN)
>>> Overrunning array of 28 16-byte elements at element index 43 (byte offset 688) by dereferencing pointer "g + i".
261 len = strlen(g[i].name);
262 memcpy(r_v1->get_info.name, g[i].name, len+1);
263 r_v1->get_info.val = gpio_get_level(i);
264 r_v1->get_info.flags = g[i].flags;
265 args->response_size = sizeof(r_v1->get_info);
266 break;
** CID 1353307: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
/3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
________________________________________________________________________________________________________
*** CID 1353307: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
163 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name);
164
165 return EC_SUCCESS;
166 }
167
168 /* Otherwise print them all */
>>> CID 1353307: (OVERRUN)
>>> Checking "i < GPIO_COUNT" implies that "i" may be up to 47 on the true branch.
169 for (i = 0; i < GPIO_COUNT; i++, g++) {
170 if (!g->mask)
171 continue; /* Skip unsupported signals */
172
173 v = gpio_get_level(i);
174 changed = last_val_changed(i, v);
/3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
163 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name);
164
165 return EC_SUCCESS;
166 }
167
168 /* Otherwise print them all */
>>> CID 1353307: (OVERRUN)
>>> Checking "i < GPIO_COUNT" implies that "i" may be up to 43 on the true branch.
169 for (i = 0; i < GPIO_COUNT; i++, g++) {
170 if (!g->mask)
171 continue; /* Skip unsupported signals */
172
173 v = gpio_get_level(i);
174 changed = last_val_changed(i, v);
** CID 1353306: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get()
/3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get()
________________________________________________________________________________________________________
*** CID 1353306: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get()
164
165 return EC_SUCCESS;
166 }
167
168 /* Otherwise print them all */
169 for (i = 0; i < GPIO_COUNT; i++, g++) {
>>> CID 1353306: (OVERRUN)
>>> Overrunning array of 28 16-byte elements at element index 47 (byte offset 752) by dereferencing pointer "g".
170 if (!g->mask)
171 continue; /* Skip unsupported signals */
172
173 v = gpio_get_level(i);
174 changed = last_val_changed(i, v);
175 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name);
/3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get()
164
165 return EC_SUCCESS;
166 }
167
168 /* Otherwise print them all */
169 for (i = 0; i < GPIO_COUNT; i++, g++) {
>>> CID 1353306: (OVERRUN)
>>> Overrunning array of 28 16-byte elements at element index 43 (byte offset 688) by dereferencing pointer "g".
170 if (!g->mask)
171 continue; /* Skip unsupported signals */
172
173 v = gpio_get_level(i);
174 changed = last_val_changed(i, v);
175 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name);
** CID 1353305: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name()
/3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name()
________________________________________________________________________________________________________
*** CID 1353305: (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name()
27 int i;
28
29 if (!name || !*name)
30 return GPIO_COUNT;
31
32 for (i = 0; i < GPIO_COUNT; i++, g++) {
>>> CID 1353305: (OVERRUN)
>>> Overrunning array of 28 16-byte elements at element index 47 (byte offset 752) by dereferencing pointer "g".
33 if (g->mask && !strcasecmp(name, g->name))
34 return i;
35 }
36
37 return GPIO_COUNT;
38 }
/3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name()
27 int i;
28
29 if (!name || !*name)
30 return GPIO_COUNT;
31
32 for (i = 0; i < GPIO_COUNT; i++, g++) {
>>> CID 1353305: (OVERRUN)
>>> Overrunning array of 28 16-byte elements at element index 43 (byte offset 688) by dereferencing pointer "g".
33 if (g->mask && !strcasecmp(name, g->name))
34 return i;
35 }
36
37 return GPIO_COUNT;
38 }
** CID 1353304: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353304: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/mkbp_event.c: 39 in set_host_interrupt()
33 /**
34 * Assert host keyboard interrupt line.
35 */
36 static void set_host_interrupt(int active)
37 {
38 /* interrupt host by using active low EC_INT signal */
>>> CID 1353304: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_EC_INT_L" in call to "gpio_set_level".
39 gpio_set_level(GPIO_EC_INT_L, !active);
40 }
41
42 void mkbp_send_event(uint8_t event_type)
43 {
44 set_event(event_type);
** CID 1353302: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/chip/stm32/keyboard_raw.c: 66 in keyboard_raw_drive_column()
________________________________________________________________________________________________________
*** CID 1353302: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/chip/stm32/keyboard_raw.c: 66 in keyboard_raw_drive_column()
60
61 for (i = 0; i < ARRAY_SIZE(kb_out_ports); i++) {
62 uint32_t bsrr = 0;
63 int j;
64
65 for (j = GPIO_KB_OUT00; j <= GPIO_KB_OUT12; j++) {
>>> CID 1353302: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "gpio_list" of 28 16-byte elements at element index 34 (byte offset 544) using index "j" (which evaluates to 34).
66 if (gpio_list[j].port != kb_out_ports[i])
67 continue;
68
69 if (out == KEYBOARD_COLUMN_ALL) {
70 /* drive low (clear bit) */
71 bsrr |= gpio_list[j].mask << 16;
** CID 1353298: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353298: (OVERRUN)
/3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 37 in keyboard_raw_drive_column()
31
32 test_mockable void keyboard_raw_drive_column(int out)
33 {
34 if (out == KEYBOARD_COLUMN_ALL) {
35 MEC1322_KS_KSO_SEL = 1 << 5; /* KSEN=0, KSALL=1 */
36 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
>>> CID 1353298: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
37 gpio_set_level(GPIO_KBD_KSO2, 1);
38 #endif
39 } else if (out == KEYBOARD_COLUMN_NONE) {
40 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */
41 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
42 gpio_set_level(GPIO_KBD_KSO2, 0);
/3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 42 in keyboard_raw_drive_column()
36 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
37 gpio_set_level(GPIO_KBD_KSO2, 1);
38 #endif
39 } else if (out == KEYBOARD_COLUMN_NONE) {
40 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */
41 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
>>> CID 1353298: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
42 gpio_set_level(GPIO_KBD_KSO2, 0);
43 #endif
44 } else {
45 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
46 if (out == 2) {
47 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */
/3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 48 in keyboard_raw_drive_column()
42 gpio_set_level(GPIO_KBD_KSO2, 0);
43 #endif
44 } else {
45 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
46 if (out == 2) {
47 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */
>>> CID 1353298: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
48 gpio_set_level(GPIO_KBD_KSO2, 1);
49 } else {
50 MEC1322_KS_KSO_SEL = out + CONFIG_KEYBOARD_KSO_BASE;
51 gpio_set_level(GPIO_KBD_KSO2, 0);
52 }
53 #else
/3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 51 in keyboard_raw_drive_column()
45 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
46 if (out == 2) {
47 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */
48 gpio_set_level(GPIO_KBD_KSO2, 1);
49 } else {
50 MEC1322_KS_KSO_SEL = out + CONFIG_KEYBOARD_KSO_BASE;
>>> CID 1353298: (OVERRUN)
>>> Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
51 gpio_set_level(GPIO_KBD_KSO2, 0);
52 }
53 #else
54 MEC1322_KS_KSO_SEL = out + CONFIG_KEYBOARD_KSO_BASE;
55 #endif
56 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5aBuA29UQJqlM19S124cTZsxkUB6KW5FpeltynRyDdy-2FDQ2XQluJoDdPg-2FGG0BMXtnTQYXbf7E6XUvHsc36TNfmES2BK62V73CJtp1rWHlY3Bg1KeRvNlW0IK0-2BkGvOLIWjDfsEwE7aHd09Nke2eumwEi6txr-2Fut5ewkfTYcMlU2g-3D-3D
To manage Coverity Scan email notifications for "coreboot at coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4e-2BpBzwOa5gzBZa9dWpDbzfofODnVj1enK2UkK0-2BgCCqyeem8IVKvTxSaOFkteZFcnohwvb2rnYNjswGryEWCURnUk6WHU42sbOmtOjD-2Bx5c-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5aBuA29UQJqlM19S124cTZsYe1nD-2Fn4das-2BAnGC0jm866ik62lGBw-2F-2FmQORZJiNN6rPEEr5tACvl4gik7RaZhHhvs3Q2RUKlUH0eh-2BQj74enzED9wLrBx4J8hNSEJnRJ4Vu6cSeIc6z2jJAV3dy2g7-2B-2Fub-2FNVnbqXSigjRooakNZw-3D-3D
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.coreboot.org/pipermail/coreboot/attachments/20160729/12560b72/attachment.html>
More information about the coreboot
mailing list